Forwarded From: Aleph One <aleph1at_private>

http://www.sddt.com/files/library/98/06/25/tbc.html

Source Programmers Discover Internet Server Bug
Daily Transcript Business Report
June 25, 1998

Programmers at San Diego Source, the online news service of the San Diego Daily Transcript, have discovered a security hole affecting Web server software from both Netscape Communications and software and book publisher O'Reilly & Associates.

The bug, allowing for the display of sensitive programming code being served by Windows NT and Windows 95 versions of Netscape Enterprise and O'Reilly & Associates' WebSite Professional, can be used by hackers to glean information considered by programmers to be invisible. The bug could allow for easy display of private documents featuring database passwords, user names and even programming code that makes events occur but is not meant for public perusal.

So far the flaw has been shown to affect only machines running under the Windows operating system, but it is not clear if these are the only two Web server programs affected.

Netscape Communications, which was notified about the bug via its Developer Forum on Friday, has been working with the Daily Transcript and is investigating the issue. On Tuesday, when it was discovered that WebSite Professional also was vulnerable, O'Reilly & Associates was alerted as well.

Before either company had confirmed the bug's existence, Source programmers were able to view unprocessed server-side scripts on dozens of Web sites, including a server at Berkeley and www.osa.com, which belongs to O'Reilly & Associates.

Because publishing specific details about the bug would leave countless Web sites vulnerable, the Daily Transcript has agreed not to describe exactly how the bug works until both companies have had a chance to issue a patch.
The bug, however, is similar to a Microsoft Internet Information Server glitch that surfaced last year and has since been patched. "With that bug, you could tack a period to the end of a file name and get the same results that we're seeing here," said Leland Baker, an NT administrator and programmer at the Transcript who found the new bug. "This was a problem because hackers could look at the contents of unprocessed active server pages, which can contain Perl and VBScript with sensitive information."

Microsoft scrambled to patch that glitch after CNET published details on how to exploit it. The patch was successful, and Microsoft's IIS is not vulnerable to the new bug. But a quick visit to a site running a third-party program processing active server pages (ASPs) under Netscape Enterprise revealed that, once again, the unprocessed contents of ASPs can be viewed, so Microsoft's patch only protects applications running under IIS.

Bob Denny, lead developer for O'Reilly & Associates' WebSite Professional project, said the new bug stems from the fact that users can pass a file name containing extra characters to the NT/95/98 operating system. Windows will accept the file name and open a file by the same name, except with the trailing characters removed. The server, however, chooses how to handle the request from the name as the client sent it, so a name whose extension no longer matches a script handler is served as a plain file.

"We consider this a serious security problem," Denny said. "The 2.3 release of WebSite Pro is scheduled imminently (within days). We have already implemented a fix for this problem, and the fix will be available to our customers in the 2.3 version."

"The bug is dangerous because it doesn't take a hacker to exploit it," said Joseph Schmitt II, a system administrator for San Diego Source who helped identify the new glitch. "When virtually any user can visit your site and view the source code for an application, which sometimes includes vital system information, there's a real security threat. This bug may well affect the security of any file accessible via a URL address, compiled or otherwise."
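The mechanism Denny describes is a mismatch between two views of the same name: the server maps the request to a handler by the extension in the URL, while Windows opens the file under a different, canonical name. The following is an added example, not code from the article, Netscape, O'Reilly or Microsoft. It emulates the Win32 trailing-character behaviour in-process (a simplified assumption: trailing dots and spaces dropped, case-insensitive lookup) so that it runs on any OS, and the document root, its file contents, the password string and the handler table are all constructed for the example. It contrasts a dispatcher that trusts the client-supplied name with one that dispatches on the name the OS actually resolved.

```python
"""Emulation of a trailing-character source-disclosure bug in extension-based
handler dispatch.  Added example; the Win32 name handling below is a
simplified emulation, not the real file system."""
import posixpath
from typing import Optional, Tuple

# Constructed document root: file name -> contents.  The credentials are a
# made-up sample, included only to show what an unprocessed script can leak.
SITE_FILES = {
    "index.html": "<html>public page</html>",
    "search.asp": '<% dsn = "DSN=sales;UID=web;PWD=example-only" %>',
    "leases.cfm": '<CFQUERY DATASOURCE="leases">SELECT * FROM leases</CFQUERY>',
}

# Extension -> handler, the way a server of that era mapped server-side scripts.
# Anything not listed is treated as a static file and sent byte-for-byte.
HANDLERS = {".asp": "asp-engine", ".cfm": "coldfusion", ".html": "static"}


def win32_open_name(name: str) -> Optional[str]:
    """Emulate (simplified) Win32 open semantics: trailing '.' and ' ' are
    discarded and the lookup is case-insensitive.  Returns the real name
    that would be opened, or None if no such file exists."""
    stripped = name.rstrip(". ")
    for real in SITE_FILES:
        if real.lower() == stripped.lower():
            return real
    return None


def dispatch_vulnerable(request_path: str) -> Tuple[str, Optional[str]]:
    """Choose the handler from the name the client sent, then open the file
    with Win32 semantics.  '/search.asp.' has extension '.' so it is classed
    as static, yet the OS opens search.asp: the raw script is returned."""
    name = request_path.lstrip("/")
    ext = posixpath.splitext(name)[1].lower()
    handler = HANDLERS.get(ext, "static")
    real = win32_open_name(name)
    if real is None:
        return ("404", None)
    if handler == "static":
        return ("static", SITE_FILES[real])   # contents leave the server unprocessed
    return (handler, None)                    # the script engine would run it instead


def dispatch_hardened(request_path: str) -> Tuple[str, Optional[str]]:
    """Resolve the name first, refuse requests whose resolved name differs from
    what was asked for, and pick the handler from the resolved name only."""
    name = request_path.lstrip("/")
    real = win32_open_name(name)
    if real is None:
        return ("404", None)
    if real.lower() != name.lower():
        return ("400", None)                  # trailing characters were stripped by the OS
    ext = posixpath.splitext(real)[1].lower()
    handler = HANDLERS.get(ext, "static")
    if handler == "static":
        return ("static", SITE_FILES[real])
    return (handler, None)


if __name__ == "__main__":
    for path in ("/search.asp", "/search.asp.", "/leases.cfm ", "/index.html"):
        print(repr(path), "vulnerable:", dispatch_vulnerable(path),
              "hardened:", dispatch_hardened(path))
```

The hardened version applies two independent checks: it rejects any request whose OS-resolved name is not the name the client asked for, and even if that check were missing it would still route on the resolved extension, so the script engine rather than the static handler gets the file. Doing only the second would be enough to stop this leak, but the first also closes the general class of "the OS opened something other than what the URL named".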
Jim Obsitnik, Netscape's Enterprise Server product manager, said engineers at Netscape also were able to confirm the bug's existence, and he indicated a patch would be issued early next week. "We've taken a look at it. The bug is a new one, and we're looking for the best way to get it out," Obsitnik said. The fix will also be included with the next point release of Enterprise, due to ship in September. Obsitnik indicated that the bug could leave any server-side script vulnerable, including some compiled and uncompiled executable files.

Server-side scripts are a sort of hybrid programming language, combining standard HTML tags with tags developed by third-party vendors to allow for dynamic content in Web pages. These scripts, processed by a program residing on the server rather than by the client's browser, commonly are used to integrate the contents of large databases with Web pages. The end user sees only the information requested, usually based on their input into a search page.

Allaire Cold Fusion, a popular and powerful database integration tool, is one such program. "The bug not only exposes the inner workings of a developer's own applications," said Ben Forta, long-time Cold Fusion developer and Allaire's product spokesman. "It could also expose highly confidential data like network and database login names and passwords." If hackers can view this information, it may be possible for them to alter or even delete data.

While helping Netscape pinpoint which sites were affected, Baker and Schmitt discovered that servers running WebSite Professional, a popular Web server package from O'Reilly & Associates, also were vulnerable. "I viewed the source of one of their Cold Fusion scripts and then e-mailed it to them," Baker said. "The guy I initially talked to there was very concerned."

The bug is especially important to developers because entire applications -- even entire sites -- are built using Cold Fusion markup language (CFML) and ASP.
Cold Fusion ships with a program to encrypt CFML pages, but the utility introduces a sometimes difficult layer to the administration process. "A lot of times, developers will encrypt a Cold Fusion application if they sell it so that the source code can't be reused or modified," Baker said. "But encrypting an entire site can be difficult to manage. Any bug fixes or modifications would have to be made to an unencrypted file, moved and re-encrypted. When you're dealing with a large number of files, this can seem like a tedious process until you get used to it."

San Diego Source, at www.sddt.com, features numerous databases using CFML to provide information on commercial leases, home purchases, the San Diego Stock Exchange and more. Since discovering the bug, however, San Diego Source has taken the extra step of encrypting every CFML script on the site to protect the integrity of the databases.

_________________________________________________________________
-o- Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:14 PDT